Operation steps
Breakthrough [Monster Name]
1.Scanning Tuantuan Rabbit, 10 and 3 were swept out to meet the expectations. Dad, we can see more than 3 in the game with the naked eye. It is obvious that the game string should be UNICODE encoding. I said how can I not find the names of the characters, so I will go back and fill in the names of the characters.
2.Switch the UNICODE encoding, scan and see, more than 1000, select a few ods to try the water
3.See if the string is correct [Verify pass]
4.Next Access Breakpoint Try
Access breakpoint, write breakpoint after all attempts, no response, this path does not work, change one, repeat step 3
As a result, Tuantuan rabbit takes up 6 bytes and scans in another way
Target Bytes [E2 56 E2 56 54 51 00 00 00 00 00 00]
This interruption continues with dirty data, discarding [E2 56 E2 56 54 51 00 4A 1B CD BD]
There is no good way to exclude one of the more than 10
33CD6824 [E2 56 E2 56 54 51 00 00 4A 1B CD BD] Continuous Discontinuation 02E7CA3C [E2 56 E2 56 54 51 00 00 00 00 00 00] Continuous Discontinuation 05B0A704 [E2 56 E2 56 54 51 00 00 00 00 00 00] Continuous Discontinuation 05B13554 05B1377C 0EBB0E10 0EBB0E44 [E2 56 E2 56 54 51 00 00 00 00 00 00] Continuous Discontinuation 0EBE4A58 0EBE4A8C 0EC20C8C 0EC4DB52 0EC4DE72 0EC4E192 10FFADCC [E2 56 E2 56 54 51 00 00 00 00 00 00] Continuous Discontinuation 12429BB8 [E2 56 E2 56 54 51 00 00 00 00 00 00] Continuous Discontinuation 1242DF60 15202A32 15218A02 18F6B4E2 I can't get any grass.
Sweep out all the time, quit the game and log in again, scan again to see who has access to the code
Breakthrough 1 008D0429 - D9 5C 24 28 - fstp dword ptr [esp+28] 008D042D - FF 15 F862BE00 - call dword ptr [ELEMENTCLIENT.EXE+7E62F8] 008D0433 - 66 83 7D 00 00 - cmp word ptr [ebp+00],00 << 008D0438 - 0F84 B9020000 - je ELEMENTCLIENT.EXE+4D06F7 008D043E - 8B BC 24 D8000000 - mov edi,[esp+000000D8] Breakthrough 2 008D0452 - 85 C0 - test eax,eax 008D0454 - 0F84 98020000 - je ELEMENTCLIENT.EXE+4D06F2 008D045A - 66 8B 4D 00 - mov cx,[ebp+00] << 008D045E - 8D 44 24 13 - lea eax,[esp+13] 008D0462 - 50 - push eax Breakthrough 3 008D06DC - 8B 88 8C000000 - mov ecx,[eax+0000008C] 008D06E2 - E8 F9430C00 - call ELEMENTCLIENT.EXE+594AE0 008D06E7 - 66 83 7D 00 00 - cmp word ptr [ebp+00],00 << 008D06EC - 0F85 59FDFFFF - jne ELEMENTCLIENT.EXE+4D044B 008D06F2 - 8B 7C 24 44 - mov edi,[esp+44]
5.Target 33A3C22C Trace ebp Register
6.View the stack monster as shown here People come here and follow the same name
008D03E0 /$ 81EC BC000000 sub esp, 0BC Here and down breakpoint
7.As shown, follow eax
8.Formula [[ecx+C]+0*4] looks like an array, Ctrl+F9 chases ECX
00417B20 /$ 83EC 14 sub esp, 14 00417B23 |. A1 1CDFD000 mov eax, dword ptr [D0DF1C] 00417B28 |. 53 push ebx 00417B29 |. 57 push edi 00417B2A |. 8BF9 mov edi, ecx ; [[ecx+C]+0*4] 00417B2C |. 8B48 1C mov ecx, dword ptr [eax+1C] 00417B2F |. 8B51 04 mov edx, dword ptr [ecx+4] 00417B32 |. 8B4A 08 mov ecx, dword ptr [edx+8] 00417B35 |. 8B41 1C mov eax, dword ptr [ecx+1C] 00417B38 |. 8B11 mov edx, dword ptr [ecx] 00417B3A |. 894424 08 mov dword ptr [esp+8], eax 00417B3E |. FF52 4C call dword ptr [edx+4C] 00417B41 |. 8B4F 3C mov ecx, dword ptr [edi+3C] 00417B44 |. 8B5C24 24 mov ebx, dword ptr [esp+24] 00417B48 |. 894424 18 mov dword ptr [esp+18], eax 00417B4C |. 8B4424 28 mov eax, dword ptr [esp+28] 00417B50 |. 894424 28 mov dword ptr [esp+28], eax 00417B54 |. 33C0 xor eax, eax 00417B56 |. 3BC8 cmp ecx, eax 00417B58 |. 894424 10 mov dword ptr [esp+10], eax 00417B5C |. 894424 14 mov dword ptr [esp+14], eax 00417B60 |. 0F8E F1000000 jle 00417C57 00417B66 |. 55 push ebp 00417B67 |. 56 push esi 00417B68 |. 894424 14 mov dword ptr [esp+14], eax 00417B6C |> 8B77 38 /mov esi, dword ptr [edi+38] 00417B6F |. 8B4C24 14 |mov ecx, dword ptr [esp+14] 00417B73 |. 8B4424 18 |mov eax, dword ptr [esp+18] 00417B77 |. 03F1 |add esi, ecx 00417B79 |. 8B6E 10 |mov ebp, dword ptr [esi+10] 00417B7C |. 3BE8 |cmp ebp, eax 00417B7E |. 74 21 |je short 00417BA1 00417B80 |. DB87 84040000 |fild dword ptr [edi+484] 00417B86 |. 8B5C24 2C |mov ebx, dword ptr [esp+2C] 00417B8A |. D84C24 10 |fmul dword ptr [esp+10] 00417B8E |. E8 FDDC7500 |call <jmp.&MSVCRT._ftol> 00417B93 |. 8B4C24 30 |mov ecx, dword ptr [esp+30] 00417B97 |. 896C24 18 |mov dword ptr [esp+18], ebp 00417B9B |. 03C8 |add ecx, eax 00417B9D |. 894C24 30 |mov dword ptr [esp+30], ecx 00417BA1 |> 833E 00 |cmp dword ptr [esi], 0 00417BA4 |. 75 48 |jnz short 00417BEE 00417BA6 |. 8B4E 04 |mov ecx, dword ptr [esi+4] 00417BA9 |. 8B57 0C |mov edx, dword ptr [edi+C] ; ecx=0 [[edx+0*4]] [[edi+C]+0*4] 00417BAC |. 8B46 14 |mov eax, dword ptr [esi+14] 00417BAF |. 8B0C8A |mov ecx, dword ptr [edx+ecx*4] ; ecx=0 [[edx+0*4]] 00417BB2 |. 85C0 |test eax, eax 00417BB4 |. 75 04 |jnz short 00417BBA 00417BB6 |. 8B4424 34 |mov eax, dword ptr [esp+34] 00417BBA |> 8B5424 38 |mov edx, dword ptr [esp+38] 00417BBE |. 68 0AD7A33D |push 3DA3D70A 00417BC3 |. 68 000000FF |push FF000000 00417BC8 |. 6A 00 |push 0 00417BCA |. 68 0000803F |push 3F800000 00417BCF |. 6A FF |push -1 00417BD1 |. 52 |push edx 00417BD2 |. 68 000000FF |push FF000000 00417BD7 |. 6A 01 |push 1 00417BD9 |. 50 |push eax 00417BDA |. 8B01 |mov eax, dword ptr [ecx] ; [ecx] 00417BDC |. 8B4C24 54 |mov ecx, dword ptr [esp+54] 00417BE0 |. 50 |push eax 00417BE1 |. 51 |push ecx 00417BE2 |. 8B4C24 4C |mov ecx, dword ptr [esp+4C] 00417BE6 |. 53 |push ebx 00417BE7 |. E8 F4874B00 |call 008D03E0
9.The formula [[ecx+C]+0*4] looks like an array and looks at the edi value [206A9C10] because the lower breakpoint at edi = ecx [00417B20] Ctrl+F9 chases ECX to see if ECX equals this
0064F6E0 /$ 56 push esi 0064F6E1 |. 57 push edi 0064F6E2 |. 8BF9 mov edi, ecx 0064F6E4 |. 33F6 xor esi, esi 0064F6E6 |. 8B47 54 mov eax, dword ptr [edi+54] 0064F6E9 |. 85C0 test eax, eax 0064F6EB |. 7E 36 jle short 0064F723 0064F6ED |. 53 push ebx 0064F6EE |. 8B5C24 10 mov ebx, dword ptr [esp+10] 0064F6F2 |> 8B47 50 /mov eax, dword ptr [edi+50] ; [[[[edi+50]+0*4]+C]+0*4] 051F3638 [[[[051F3638 +50]+0*4]+C]+0*4] 0064F6F5 |. 8B0CB0 |mov ecx, dword ptr [eax+esi*4] ; [[[eax+0*4]+C]+0*4] 0064F6F8 |. 8B91 A4040000 |mov edx, dword ptr [ecx+4A4] 0064F6FE |. 8B81 A0040000 |mov eax, dword ptr [ecx+4A0] 0064F704 |. 52 |push edx 0064F705 |. 8B91 9C040000 |mov edx, dword ptr [ecx+49C] 0064F70B |. 50 |push eax 0064F70C |. 8B81 98040000 |mov eax, dword ptr [ecx+498] 0064F712 |. 52 |push edx 0064F713 |. 50 |push eax 0064F714 |. 53 |push ebx 0064F715 |. E8 0684DCFF |call 00417B20 ; [[ecx+C]+0*4] 256FF490 [[256FF490+C]+0*4] 0064F71A |. 8B47 54 |mov eax, dword ptr [edi+54] 0064F71D |. 46 |inc esi 0064F71E |. 3BF0 |cmp esi, eax 0064F720 |.^ 7C D0 \jl short 0064F6F2 0064F722 |. 5B pop ebx 0064F723 |> C747 54 00000>mov dword ptr [edi+54], 0 0064F72A |. 8B0D 1CDFD000 mov ecx, dword ptr [D0DF1C] ; ELEMENTC.00D11A50 0064F730 |. 6A 00 push 0 0064F732 |. E8 C992DFFF call 00448A00 0064F737 |. 8BC8 mov ecx, eax 0064F739 |. E8 D2D93500 call 009AD110 0064F73E |. 5F pop edi 0064F73F |. B0 01 mov al, 1 0064F741 |. 5E pop esi 0064F742 \. C2 0400 retn 4
Formula [[[edi+50]+04]+C]+04]
10.Formula [[[edi+50]+04]+C]+04], changing formula to [[[ecx+50]+04]+C]+04] as shown below is to pursue ecx Ctrl+F9 back to the previous level
0064F6E0 /$ 56 push esi 0064F6E1 |. 57 push edi 0064F6E2 |. 8BF9 mov edi, ecx >>>>> 0064F6E4 |. 33F6 xor esi, esi 0064F6E6 |. 8B47 54 mov eax, dword ptr [edi+54] 0064F6E9 |. 85C0 test eax, eax 0064F6EB |. 7E 36 jle short 0064F723 0064F6ED |. 53 push ebx 0064F6EE |. 8B5C24 10 mov ebx, dword ptr [esp+10] 0064F6F2 |> 8B47 50 /mov eax, dword ptr [edi+50] ; [[[[edi+50]+0*4]+C]+0*4] 051F3638 [[[[051F3638 +50]+0*4]+C]+0*4] 0064F6F5 |. 8B0CB0 |mov ecx, dword ptr [eax+esi*4] ; [[[eax+0*4]+C]+0*4] 0064F6F8 |. 8B91 A4040000 |mov edx, dword ptr [ecx+4A4]
11.Return to the formula shown as DD [[[[ebp+8]+30]+50]+04]+C]+04]
0045ADEB |. 8B4D 08 mov ecx, dword ptr [ebp+8] 0045ADEE |. 53 push ebx 0045ADEF |. 8B49 30 mov ecx, dword ptr [ecx+30] ; dd [[[[[[ebp+8]+30]+50]+0*4]+C]+0*4] 0045ADF2 |. E8 E9481F00 call 0064F6E0 ; Monster Array Traversal
esp and ebp are very different, here ebp is not the base of the stack but a common register, here we need to chase ebp
As shown below, replace the formula with DD [[[[ecx+8]+30]+50]+04]+C]+04] to chase ECX
0045AA30 /$ 83EC 44 sub esp, 44 0045AA33 |. 53 push ebx 0045AA34 |. 55 push ebp 0045AA35 |. 8BE9 mov ebp, ecx>>>>> dd [[[[[[ecx+8]+30]+50]+0*4]+C]+0*4] 0045AA37 |. 56 push esi 0045AA38 |. 57 push edi 0045AA39 |. 8B4D 08 mov ecx, dword ptr [ebp+8] 0045AA3C |. 85C9 test ecx, ecx 0045AA3E |. 0F84 80060000 je 0045B0C4 0045AA44 |. E8 0786FEFF call 00443050 0045AA49 |. 8A0D AC19D100 mov cl, byte ptr [D119AC] 0045AA4F |. 8BD0 mov edx, eax 0045AA51 |. A1 1CDFD000 mov eax, dword ptr [D0DF1C] 0045AA56 |. 895424 18 mov dword ptr [esp+18], edx 0045AA5A |. 84C9 test cl, cl 0045AA5C |. 8B78 04 mov edi, dword ptr [eax+4] 0045AA5F |. 8B70 08 mov esi, dword ptr [eax+8] 0045AA62 |. 8B58 14 mov ebx, dword ptr [eax+14] 0045AA65 |. 897C24 14 mov dword ptr [esp+14], edi 0045AA69 |. 897424 10 mov dword ptr [esp+10], esi 0045AA6D |. 0F85 A9050000 jnz 0045B01C 0045AA73 |. 8B8D C0000000 mov ecx, dword ptr [ebp+C0] 0045AA79 |. 83F9 02 cmp ecx, 2 0045AA7C |. 75 11 jnz short 0045AA8F 0045AA7E |. 85D2 test edx, edx 0045AA80 |. 74 0D je short 0045AA8F 0045AA82 |. 80BA 8C080000>cmp byte ptr [edx+88C], 0 0045AA89 |. 0F84 8D050000 je 0045B01C 0045AA8F |> 8B40 18 mov eax, dword ptr [eax+18] 0045AA92 |. 8A90 94000000 mov dl, byte ptr [eax+94] 0045AA98 |. 84D2 test dl, dl 0045AA9A |. 74 40 je short 0045AADC 0045AA9C |. 83F9 02 cmp ecx, 2 0045AA9F |. 75 3B jnz short 0045AADC 0045AAA1 |. 8B0D 94DFD000 mov ecx, dword ptr [D0DF94] 0045AAA7 |. 85C9 test ecx, ecx 0045AAA9 |. 74 31 je short 0045AADC 0045AAAB |. A1 88DFD000 mov eax, dword ptr [D0DF88] 0045AAB0 |. 83F8 0A cmp eax, 0A 0045AAB3 |. 7D 1B jge short 0045AAD0 0045AAB5 |. 8B15 90DFD000 mov edx, dword ptr [D0DF90] 0045AABB |. 8D0440 lea eax, dword ptr [eax+eax*2] 0045AABE |. 03D1 add edx, ecx 0045AAC0 |. 8D0480 lea eax, dword ptr [eax+eax*4] 0045AAC3 |. 8D0480 lea eax, dword ptr [eax+eax*4] 0045AAC6 |. D1E0 shl eax, 1 0045AAC8 |. 3BD0 cmp edx, eax 0045AACA |. 0F8F F4050000 jg 0045B0C4 0045AAD0 |> 33C0 xor eax, eax 0045AAD2 |. A3 90DFD000 mov dword ptr [D0DF90], eax 0045AAD7 |. A3 88DFD000 mov dword ptr [D0DF88], eax 0045AADC |> E8 1F3F5100 call 0096EA00 0045AAE1 |. 8BCD mov ecx, ebp 0045AAE3 |. 894424 1C mov dword ptr [esp+1C], eax 0045AAE7 |. E8 E4050000 call 0045B0D0 0045AAEC |. 84C0 test al, al 0045AAEE |. 75 1B jnz short 0045AB0B 0045AAF0 |> 68 CC0ACA00 push 00CA0ACC ; ASCII "CECGameRun::Render(), Failed to begin render!" 0045AAF5 |. 6A 01 push 1 0045AAF7 |. E8 343F5100 call 0096EA30 0045AAFC |. 83C4 08 add esp, 8 0045AAFF |. 32C0 xor al, al 0045AB01 |. 5F pop edi 0045AB02 |. 5E pop esi 0045AB03 |. 5D pop ebp 0045AB04 |. 5B pop ebx 0045AB05 |. 83C4 44 add esp, 44 0045AB08 |. C2 0400 retn 4 0045AB0B |> A1 1CDFD000 mov eax, dword ptr [D0DF1C] 0045AB10 |. 8B48 18 mov ecx, dword ptr [eax+18] 0045AB13 |. 8A91 C4000000 mov dl, byte ptr [ecx+C4] 0045AB19 |. 84D2 test dl, dl 0045AB1B |. 0F84 99000000 je 0045ABBA 0045AB21 |. 8B50 14 mov edx, dword ptr [eax+14] 0045AB24 |. 83C6 10 add esi, 10 0045AB27 |. B9 07000000 mov ecx, 7 0045AB2C |. 8D7C24 38 lea edi, dword ptr [esp+38] 0045AB30 |. F3:A5 rep movs dword ptr es:[edi], dword p> 0045AB32 |. 8B7A 04 mov edi, dword ptr [edx+4] 0045AB35 |. 83C7 14 add edi, 14 0045AB38 |. 8B47 04 mov eax, dword ptr [edi+4] 0045AB3B |. 85C0 test eax, eax 0045AB3D |. 76 77 jbe short 0045ABB6 0045AB3F |. 8B7424 10 mov esi, dword ptr [esp+10] 0045AB43 |. 33C9 xor ecx, ecx 0045AB45 |. 894C24 20 mov dword ptr [esp+20], ecx 0045AB49 |. 894C24 24 mov dword ptr [esp+24], ecx 0045AB4D |. 8B4C24 3C mov ecx, dword ptr [esp+3C] 0045AB51 |. 8D5424 20 lea edx, dword ptr [esp+20] 0045AB55 |. 894C24 28 mov dword ptr [esp+28], ecx 0045AB59 |. 52 push edx 0045AB5A |. 8BCE mov ecx, esi 0045AB5C |. 894424 30 mov dword ptr [esp+30], eax 0045AB60 |. C74424 34 000>mov dword ptr [esp+34], 0 0045AB68 |. C74424 38 000>mov dword ptr [esp+38], 3F800000 0045AB70 |. E8 5BBA5300 call 009965D0 0045AB75 |. 6A 00 push 0 0045AB77 |. 68 0000803F push 3F800000 0045AB7C |. 6A 00 push 0 0045AB7E |. 6A 01 push 1 0045AB80 |. 8BCE mov ecx, esi 0045AB82 |. E8 39B45300 call 00995FC0 0045AB87 |. 8B7F 04 mov edi, dword ptr [edi+4] 0045AB8A |. 8B4424 40 mov eax, dword ptr [esp+40] 0045AB8E |. 8D4C24 20 lea ecx, dword ptr [esp+20] 0045AB92 |. 2BC7 sub eax, edi 0045AB94 |. 51 push ecx 0045AB95 |. 8BCE mov ecx, esi 0045AB97 |. 894424 28 mov dword ptr [esp+28], eax 0045AB9B |. 897C24 30 mov dword ptr [esp+30], edi 0045AB9F |. E8 2CBA5300 call 009965D0 0045ABA4 |. 6A 00 push 0 0045ABA6 |. 68 0000803F push 3F800000 0045ABAB |. 6A 00 push 0 0045ABAD |. 6A 01 push 1 0045ABAF |. 8BCE mov ecx, esi 0045ABB1 |. E8 0AB45300 call 00995FC0 0045ABB6 |> 8B7C24 14 mov edi, dword ptr [esp+14] 0045ABBA |> 8B45 20 mov eax, dword ptr [ebp+20] 0045ABBD |. 85C0 test eax, eax 0045ABBF |. 74 4E je short 0045AC0F 0045ABC1 |. 8B4B 08 mov ecx, dword ptr [ebx+8] 0045ABC4 |. 8B70 10 mov esi, dword ptr [eax+10] 0045ABC7 |. E8 040E5300 call 0098B9D0 0045ABCC |. 8B10 mov edx, dword ptr [eax] 0045ABCE |. 8956 14 mov dword ptr [esi+14], edx 0045ABD1 |. 8B48 04 mov ecx, dword ptr [eax+4] 0045ABD4 |. 894E 18 mov dword ptr [esi+18], ecx 0045ABD7 |. 8B50 08 mov edx, dword ptr [eax+8] 0045ABDA |. 8BCE mov ecx, esi 0045ABDC |. 8956 1C mov dword ptr [esi+1C], edx 0045ABDF |. E8 AC095300 call 0098B590 0045ABE4 |. 8B43 08 mov eax, dword ptr [ebx+8] 0045ABE7 |. 8B55 20 mov edx, dword ptr [ebp+20] 0045ABEA |. 8D48 2C lea ecx, dword ptr [eax+2C] 0045ABED |. 83C0 20 add eax, 20 0045ABF0 |. 51 push ecx 0045ABF1 |. 8B4A 10 mov ecx, dword ptr [edx+10] 0045ABF4 |. 50 push eax 0045ABF5 |. E8 C6035300 call 0098AFC0 0045ABFA |. 8B45 08 mov eax, dword ptr [ebp+8] 0045ABFD |. 8B4B 04 mov ecx, dword ptr [ebx+4] 0045AC00 |. 50 push eax 0045AC01 |. 68 A03E4400 push 00443EA0 0045AC06 |. 51 push ecx 0045AC07 |. 8B4D 20 mov ecx, dword ptr [ebp+20] 0045AC0A |. E8 8105FCFF call 0041B190 0045AC0F |> 8B4D 18 mov ecx, dword ptr [ebp+18] 0045AC12 |. 85C9 test ecx, ecx 0045AC14 |. 74 1A je short 0045AC30 0045AC16 |. E8 C561FBFF call 00410DE0 0045AC1B |. 8B15 1CDFD000 mov edx, dword ptr [D0DF1C] ; ELEMENTC.00D11A50 0045AC21 |. 8B4D 18 mov ecx, dword ptr [ebp+18] 0045AC24 |. 8B82 90070000 mov eax, dword ptr [edx+790] 0045AC2A |. 50 push eax 0045AC2B |. E8 A062FBFF call 00410ED0 0045AC30 |> 8B4D 1C mov ecx, dword ptr [ebp+1C] 0045AC33 |. 85C9 test ecx, ecx 0045AC35 |. 74 12 je short 0045AC49 0045AC37 |. 8B15 1CDFD000 mov edx, dword ptr [D0DF1C] ; ELEMENTC.00D11A50 0045AC3D |. 8B82 90070000 mov eax, dword ptr [edx+790] 0045AC43 |. 50 push eax 0045AC44 |. E8 2731FCFF call 0041DD70 0045AC49 |> 8B4D 20 mov ecx, dword ptr [ebp+20] 0045AC4C |. 85C9 test ecx, ecx 0045AC4E |. 74 12 je short 0045AC62 0045AC50 |. 8B15 1CDFD000 mov edx, dword ptr [D0DF1C] ; ELEMENTC.00D11A50 0045AC56 |. 8B82 90070000 mov eax, dword ptr [edx+790] 0045AC5C |. 50 push eax 0045AC5D |. E8 1E05FCFF call 0041B180 0045AC62 |> 8B4424 18 mov eax, dword ptr [esp+18] 0045AC66 |. 85C0 test eax, eax 0045AC68 |. 74 34 je short 0045AC9E 0045AC6A |. 8A88 14050000 mov cl, byte ptr [eax+514] 0045AC70 |. 84C9 test cl, cl 0045AC72 |. 74 2A je short 0045AC9E 0045AC74 |. 6A 00 push 0 0045AC76 |. 8BCB mov ecx, ebx 0045AC78 |. E8 A3C40000 call 00467120 0045AC7D |. 8B0D 1CDFD000 mov ecx, dword ptr [D0DF1C] ; ELEMENTC.00D11A50 0045AC83 |. 6A 00 push 0 0045AC85 |. 68 0000803F push 3F800000 0045AC8A |. 68 000000FF push FF000000 0045AC8F |. 8B49 08 mov ecx, dword ptr [ecx+8] 0045AC92 |. 6A 03 push 3 0045AC94 |. E8 27B35300 call 00995FC0 0045AC99 |. E9 7C010000 jmp 0045AE1A 0045AC9E |> 6A 00 push 0 0045ACA0 |. 8BCB mov ecx, ebx 0045ACA2 |. E8 79C40000 call 00467120 0045ACA7 |. 8B15 1CDFD000 mov edx, dword ptr [D0DF1C] ; ELEMENTC.00D11A50 0045ACAD |. 6A 00 push 0 0045ACAF |. 68 0000803F push 3F800000 0045ACB4 |. 68 000000FF push FF000000 0045ACB9 |. 8B4A 08 mov ecx, dword ptr [edx+8] 0045ACBC |. 6A 02 push 2 0045ACBE |. E8 FDB25300 call 00995FC0 0045ACC3 |. 8B4D 08 mov ecx, dword ptr [ebp+8] 0045ACC6 |. 85C9 test ecx, ecx 0045ACC8 |. 74 22 je short 0045ACEC 0045ACCA |. 53 push ebx 0045ACCB |. E8 507AFEFF call 00442720 0045ACD0 |. 83BD C0000000>cmp dword ptr [ebp+C0], 1 0045ACD7 |. 75 13 jnz short 0045ACEC 0045ACD9 |. 8B4D 04 mov ecx, dword ptr [ebp+4] 0045ACDC |. E8 0F391F00 call 0064E5F0 0045ACE1 |. 85C0 test eax, eax 0045ACE3 |. 74 07 je short 0045ACEC 0045ACE5 |. 8BC8 mov ecx, eax 0045ACE7 |. E8 84F71E00 call 0064A470 0045ACEC |> 53 push ebx 0045ACED |. B9 C8DED000 mov ecx, 00D0DEC8 0045ACF2 |. E8 C9B1FEFF call 00445EC0 0045ACF7 |. A1 1CDFD000 mov eax, dword ptr [D0DF1C] 0045ACFC |. 53 push ebx 0045ACFD |. 8B48 3C mov ecx, dword ptr [eax+3C] 0045AD00 |. E8 4B91FBFF call 00413E50 0045AD05 |. 8B4B 04 mov ecx, dword ptr [ebx+4] 0045AD08 |. 6A FF push -1 0045AD0A |. 51 push ecx 0045AD0B |. 8BCF mov ecx, edi 0045AD0D |. E8 5E4F5400 call 0099FC70 0045AD12 |. 8B15 8428D400 mov edx, dword ptr [D42884] 0045AD18 |. 8A42 18 mov al, byte ptr [edx+18] 0045AD1B |. 84C0 test al, al 0045AD1D |. 74 0D je short 0045AD2C 0045AD1F |. A1 1CDFD000 mov eax, dword ptr [D0DF1C] 0045AD24 |. 8B48 28 mov ecx, dword ptr [eax+28] 0045AD27 |. E8 A41E3F00 call 0084CBD0 0045AD2C |> 8B0D 1CDFD000 mov ecx, dword ptr [D0DF1C] ; ELEMENTC.00D11A50 0045AD32 |. 8B53 04 mov edx, dword ptr [ebx+4] 0045AD35 |. 6A 00 push 0 0045AD37 |. 52 push edx 0045AD38 |. 8BB1 B4020000 mov esi, dword ptr [ecx+2B4] 0045AD3E |. 8BCE mov ecx, esi 0045AD40 |. E8 9BC05600 call 009C6DE0 0045AD45 |. 6A 00 push 0 0045AD47 |. 8BCE mov ecx, esi 0045AD49 |. E8 62AC5600 call 009C59B0 0045AD4E |. 8B43 04 mov eax, dword ptr [ebx+4] 0045AD51 |. 8BCE mov ecx, esi 0045AD53 |. 50 push eax 0045AD54 |. E8 47C45600 call 009C71A0 0045AD59 |. 6A 01 push 1 0045AD5B |. 8BCE mov ecx, esi 0045AD5D |. E8 4EAC5600 call 009C59B0 0045AD62 |. 8B4B 04 mov ecx, dword ptr [ebx+4] 0045AD65 |. 8B15 1CDFD000 mov edx, dword ptr [D0DF1C] ; ELEMENTC.00D11A50 0045AD6B |. 6A 00 push 0 0045AD6D |. 51 push ecx 0045AD6E |. 8B4A 28 mov ecx, dword ptr [edx+28] 0045AD71 |. E8 DA1C3F00 call 0084CA50 0045AD76 |. 8BB7 90000000 mov esi, dword ptr [edi+90] 0045AD7C |. 8BCE mov ecx, esi 0045AD7E |. E8 FD655700 call 009D1380 0045AD83 |. 8BCE mov ecx, esi 0045AD85 |. E8 B6665700 call 009D1440 0045AD8A |. 8BB7 8C000000 mov esi, dword ptr [edi+8C] 0045AD90 |. 8BCE mov ecx, esi 0045AD92 |. E8 B99E5300 call 00994C50 0045AD97 |. 8BCE mov ecx, esi 0045AD99 |. E8 729F5300 call 00994D10 0045AD9E |. 8B4D 18 mov ecx, dword ptr [ebp+18] 0045ADA1 |. 85C9 test ecx, ecx 0045ADA3 |. 74 09 je short 0045ADAE 0045ADA5 |. 8B43 04 mov eax, dword ptr [ebx+4] 0045ADA8 |. 50 push eax 0045ADA9 |. E8 4261FBFF call 00410EF0 0045ADAE |> 8B4D 1C mov ecx, dword ptr [ebp+1C] 0045ADB1 |. 85C9 test ecx, ecx 0045ADB3 |. 74 12 je short 0045ADC7 0045ADB5 |. 8B55 08 mov edx, dword ptr [ebp+8] 0045ADB8 |. 8B43 04 mov eax, dword ptr [ebx+4] 0045ADBB |. 52 push edx 0045ADBC |. 68 903E4400 push 00443E90 0045ADC1 |. 50 push eax 0045ADC2 |. E8 B92FFCFF call 0041DD80 0045ADC7 |> 8B45 08 mov eax, dword ptr [ebp+8] 0045ADCA |. 85C0 test eax, eax 0045ADCC |. 74 3B je short 0045AE09 0045ADCE |. 8B48 30 mov ecx, dword ptr [eax+30] 0045ADD1 |. 85C9 test ecx, ecx 0045ADD3 |. 74 34 je short 0045AE09 0045ADD5 |. 8B7424 10 mov esi, dword ptr [esp+10] 0045ADD9 |. 6A 00 push 0 0045ADDB |. 8BCE mov ecx, esi 0045ADDD |. E8 5EB55300 call 00996340 0045ADE2 |. 6A 01 push 1 0045ADE4 |. 8BCE mov ecx, esi 0045ADE6 |. E8 E5B55300 call 009963D0 0045ADEB |. 8B4D 08 mov ecx, dword ptr [ebp+8] 0045ADEE |. 53 push ebx 0045ADEF |. 8B49 30 mov ecx, dword ptr [ecx+30] ; dd [[[[[[ebp+8]+30]+50]+0*4]+C]+0*4] 0045ADF2 |. E8 E9481F00 call 0064F6E0 ; Monster Array Traversal
12.Replace the formula with DD [[[[[ebp+1C]+8]+30]+50]+04]+C]+04] ebp=ecx
13.Chasing ecx
14. *Follow ecx
14. * Ctrl+F9 is not good to catch up here, it may be unreturnable by VM, look with CE for the value [00D11A50] which lost the record target edi register
004492E0 /$ 53 push ebx 004492E1 |. 8B1D 0462BE00 mov ebx, dword ptr [<&KERNEL32.Resum>; kernel32.ResumeThread 004492E7 |. 55 push ebp 004492E8 |. 56 push esi 004492E9 |. 8B35 CC62BE00 mov esi, dword ptr [<&KERNEL32.WaitF>; kernel32.WaitForSingleObject 004492EF |. 57 push edi 004492F0 |. 8BF9 mov edi, ecx>>>>>>>>>>>>>Do not execute 004492F2 |. 83CD FF or ebp, FFFFFFFF 004492F5 |> A0 6CDBD000 /mov al, byte ptr [D0DB6C] 004492FA |. 84C0 |test al, al 004492FC |. 75 38 |jnz short 00449336 004492FE |. A1 8825D100 |mov eax, dword ptr [D12588] 00449303 |. 6A 00 |push 0 00449305 |. 50 |push eax 00449306 |. FFD6 |call esi 00449308 |. 85C0 |test eax, eax 0044930A |. 74 2A |je short 00449336 0044930C |. A0 9825D100 |mov al, byte ptr [D12598] 00449311 |. 84C0 |test al, al 00449313 |. 74 09 |je short 0044931E 00449315 |. 8B0D 7C25D100 |mov ecx, dword ptr [D1257C] 0044931B |. 51 |push ecx 0044931C |. FFD3 |call ebx 0044931E |> 8B15 8C25D100 |mov edx, dword ptr [D1258C] 00449324 |. 6A 14 |push 14 00449326 |. 52 |push edx 00449327 |. FFD6 |call esi 00449329 |. 8BCF |mov ecx, edi>>>>>>>>chase edi 0044932B |. E8 E0000000 |call 00449410 ; 6 00449330 |. 84C0 |test al, al 00449332 |. 74 09 |je short 0044933D 00449334 |.^ EB BF \jmp short 004492F5 00449336 |> 5F pop edi 00449337 |. 5E pop esi 00449338 |. 5D pop ebp 00449339 |. 33C0 xor eax, eax 0044933B |. 5B pop ebx 0044933C |. C3 retn 0044933D |> 5F pop edi 0044933E |. 8BC5 mov eax, ebp 00449340 |. 5E pop esi 00449341 |. 5D pop ebp 00449342 |. 5B pop ebx 00449343 \. C3 retn
15.It was originally the address of the formula replaced by DD [[[[[00D11A50+1C]+8]+30]+50]+04]+C]+04]
16.Instead of looking back at the data, there is one less layer of DD [[[[[[00D11A50+1C]+8]+30]+50]+04]+C]+04]]
Verify as follows: dd [[[[[[[[00D11A50+1C]+8]+30]+50]+0*4]+C]+0*4]] dd [[[[[[[[[00D0DF1C]+1C]+8]+30]+50]+0*4]+C]+0*4]] // Person Name dd [[[[[[[[[00D0DF1C]+1C]+8]+30]+50]+1*4]+C]+0*4]] 33A3BB0C 56E256E2 OD Not very friendly display ce Verification dd [[[[[[[[[00D0DF1C]+1C]+8]+30]+50]+2*4]+C]+0*4]] 33A3BB0C 56E256E2 dd [[[[[[[[[00D0DF1C]+1C]+8]+30]+50]+3*4]+C]+0*4]] 33A3BB0C 56E256E2
Summarize as follows
Traversing around the pocket westward is an array structure with code output later
dd [[[[[[[[00D11A50+1C]+8]+30]+50]+0*4]+C]+0*4]] dd [[[[[[[[[00D0DF1C]+1C]+8]+30]+50]+0*4]+C]+0*4]] // Person Name dd [[[[[[[[[00D0DF1C]+1C]+8]+30]+50]+1*4]+C]+0*4]] 33A3BB0C 56E256E2 OD Not very friendly display ce Verification dd [[[[[[[[[00D0DF1C]+1C]+8]+30]+50]+2*4]+C]+0*4]] 33A3BB0C 56E256E2 dd [[[[[[[[[00D0DF1C]+1C]+8]+30]+50]+3*4]+C]+0*4]] 33A3BB0C 56E256E2